3586435ac9cbd620903b3adc22472f1097e08c45eab583ad7f080373d44155c0

Analysis

max time kernel
136s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c63ac9944b39620e65536427972aa33_JaffaCakes118.exe
Size

143KB
MD5

4c63ac9944b39620e65536427972aa33
SHA1

b84f1fe163313d0dcebcdc0cff95bf22762dd858
SHA256

3586435ac9cbd620903b3adc22472f1097e08c45eab583ad7f080373d44155c0
SHA512

72a3ae4bad6b2d580161885cc04267986667816d3a5049fd44bd0a9d15203b5d3799ec4da140c4675503fef1a34dff93d3f55db42d5aa2c1b96e07b2b2e803d9
SSDEEP

3072:gGcsGdq65m3bb3/QS3N93bsGfhv0vt3y:gGcsGdzm3P3/QS3vLsGZv0vti

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eleplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epmcab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eodlho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gameonno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejbkehcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efneehef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epmcab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eofinnkf.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/memory/4392-0-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000e000000023b8a-6.dat	family_berbew
behavioral2/memory/4084-8-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023b9d-14.dat	family_berbew
behavioral2/memory/4580-16-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023b9f-23.dat	family_berbew
behavioral2/memory/3172-24-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023ba1-31.dat	family_berbew
behavioral2/files/0x000a000000023ba3-39.dat	family_berbew
behavioral2/files/0x000a000000023ba5-46.dat	family_berbew
behavioral2/memory/60-48-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/memory/4704-47-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/memory/4444-36-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023ba8-54.dat	family_berbew
behavioral2/memory/2496-56-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023baa-63.dat	family_berbew
behavioral2/memory/4152-64-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bac-71.dat	family_berbew
behavioral2/memory/4640-72-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bae-78.dat	family_berbew
behavioral2/memory/4980-80-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bb0-86.dat	family_berbew
behavioral2/memory/4928-87-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bb2-94.dat	family_berbew
behavioral2/memory/4092-96-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0031000000023bb4-102.dat	family_berbew
behavioral2/memory/1992-103-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0031000000023bb6-110.dat	family_berbew
behavioral2/memory/4632-112-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bb8-118.dat	family_berbew
behavioral2/memory/4544-119-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bba-126.dat	family_berbew
behavioral2/memory/2148-128-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bbc-134.dat	family_berbew
behavioral2/memory/532-136-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bbe-142.dat	family_berbew
behavioral2/memory/936-144-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bc0-150.dat	family_berbew
behavioral2/memory/2460-156-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bc2-158.dat	family_berbew
behavioral2/memory/3632-160-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bc4-166.dat	family_berbew
behavioral2/memory/2332-172-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bc6-175.dat	family_berbew
behavioral2/memory/4984-180-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bc8-183.dat	family_berbew
behavioral2/memory/3724-184-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bca-190.dat	family_berbew
behavioral2/memory/2932-191-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bcc-198.dat	family_berbew
behavioral2/memory/1252-200-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bce-207.dat	family_berbew
behavioral2/memory/716-208-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bd0-214.dat	family_berbew
behavioral2/memory/968-220-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bd2-223.dat	family_berbew
behavioral2/files/0x000a000000023bd4-230.dat	family_berbew
behavioral2/memory/1836-229-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/memory/3760-232-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bd6-238.dat	family_berbew
behavioral2/memory/4488-240-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bd8-246.dat	family_berbew
behavioral2/memory/2172-248-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bda-254.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
4084	Ejbkehcg.exe
4580	Epmcab32.exe
3172	Ebnoikqb.exe
4444	Ejegjh32.exe
4704	Ehhgfdho.exe
60	Epopgbia.exe
2496	Eleplc32.exe
4152	Eodlho32.exe
4640	Efneehef.exe
4980	Eofinnkf.exe
4928	Efpajh32.exe
4092	Eqfeha32.exe
1992	Ffbnph32.exe
4632	Fmmfmbhn.exe
4544	Fbioei32.exe
2148	Ficgacna.exe
532	Fomonm32.exe
936	Fjcclf32.exe
2460	Fqmlhpla.exe
3632	Fckhdk32.exe
2332	Fihqmb32.exe
4984	Fqohnp32.exe
3724	Fobiilai.exe
2932	Fmficqpc.exe
1252	Gmhfhp32.exe
716	Gbenqg32.exe
968	Giofnacd.exe
1836	Gqfooodg.exe
3760	Gcekkjcj.exe
4488	Gjocgdkg.exe
2172	Gqikdn32.exe
5048	Gbjhlfhb.exe
5064	Gjapmdid.exe
1260	Gidphq32.exe
5016	Gpnhekgl.exe
2304	Gfhqbe32.exe
2212	Gifmnpnl.exe
1020	Gameonno.exe
548	Hclakimb.exe
3548	Hfjmgdlf.exe
4692	Hjfihc32.exe
2532	Hmdedo32.exe
2432	Hpbaqj32.exe
5084	Hbanme32.exe
2612	Hikfip32.exe
2372	Habnjm32.exe
4480	Hcqjfh32.exe
4472	Hfofbd32.exe
4160	Hmioonpn.exe
220	Hpgkkioa.exe
636	Hjmoibog.exe
1620	Hippdo32.exe
4296	Haggelfd.exe
1812	Hbhdmd32.exe
4872	Hibljoco.exe
1744	Haidklda.exe
2312	Ipldfi32.exe
3300	Ijaida32.exe
1036	Iidipnal.exe
3684	Ipnalhii.exe
4460	Ibmmhdhm.exe
1040	Imbaemhc.exe
3316	Ipqnahgf.exe
4824	Ifjfnb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Giofnacd.exe	Gbenqg32.exe
File created	C:\Windows\SysWOW64\Jdkhlo32.dll	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hpbaqj32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Fihqmb32.exe	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Cfjbmnlq.dll	Fihqmb32.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Habnjm32.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Ceaklo32.dll	Hippdo32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Chkede32.dll	Epmcab32.exe
File opened for modification	C:\Windows\SysWOW64\Hfjmgdlf.exe	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Hcqjfh32.exe	Habnjm32.exe
File opened for modification	C:\Windows\SysWOW64\Ipnalhii.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jmkdlkph.exe
File opened for modification	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Honckk32.dll	Hikfip32.exe
File created	C:\Windows\SysWOW64\Gbjgbh32.dll	Eleplc32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Lpcioj32.dll	Hclakimb.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Aqnhjk32.dll	Iidipnal.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Egoqlckf.dll	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Imbaemhc.exe	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Efneehef.exe	Eodlho32.exe
File created	C:\Windows\SysWOW64\Hndnbj32.dll	Ficgacna.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Epmcab32.exe	Ejbkehcg.exe
File created	C:\Windows\SysWOW64\Fckhdk32.exe	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Fqohnp32.exe	Fihqmb32.exe
File created	C:\Windows\SysWOW64\Hifqbnpb.dll	Gbenqg32.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Lpfihl32.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Pkbjnl32.dll	Habnjm32.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ogaodjbe.dll	Ffbnph32.exe
File created	C:\Windows\SysWOW64\Habnjm32.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Gqikdn32.exe	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Haidklda.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6624	6456	WerFault.exe	256

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epmcab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogaodjbe.dll"	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceaklo32.dll"	Hippdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbocjjm.dll"	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miimhchp.dll"	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlfmg32.dll"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eleplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejegjh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjgbh32.dll"	Eleplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ficgacna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfbpcko.dll"	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbioei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 4084	4392	4c63ac9944b39620e65536427972aa33_JaffaCakes118.exe	84
PID 4392 wrote to memory of 4084	4392	4c63ac9944b39620e65536427972aa33_JaffaCakes118.exe	84
PID 4392 wrote to memory of 4084	4392	4c63ac9944b39620e65536427972aa33_JaffaCakes118.exe	84
PID 4084 wrote to memory of 4580	4084	Ejbkehcg.exe	85
PID 4084 wrote to memory of 4580	4084	Ejbkehcg.exe	85
PID 4084 wrote to memory of 4580	4084	Ejbkehcg.exe	85
PID 4580 wrote to memory of 3172	4580	Epmcab32.exe	86
PID 4580 wrote to memory of 3172	4580	Epmcab32.exe	86
PID 4580 wrote to memory of 3172	4580	Epmcab32.exe	86
PID 3172 wrote to memory of 4444	3172	Ebnoikqb.exe	87
PID 3172 wrote to memory of 4444	3172	Ebnoikqb.exe	87
PID 3172 wrote to memory of 4444	3172	Ebnoikqb.exe	87
PID 4444 wrote to memory of 4704	4444	Ejegjh32.exe	88
PID 4444 wrote to memory of 4704	4444	Ejegjh32.exe	88
PID 4444 wrote to memory of 4704	4444	Ejegjh32.exe	88
PID 4704 wrote to memory of 60	4704	Ehhgfdho.exe	89
PID 4704 wrote to memory of 60	4704	Ehhgfdho.exe	89
PID 4704 wrote to memory of 60	4704	Ehhgfdho.exe	89
PID 60 wrote to memory of 2496	60	Epopgbia.exe	90
PID 60 wrote to memory of 2496	60	Epopgbia.exe	90
PID 60 wrote to memory of 2496	60	Epopgbia.exe	90
PID 2496 wrote to memory of 4152	2496	Eleplc32.exe	91
PID 2496 wrote to memory of 4152	2496	Eleplc32.exe	91
PID 2496 wrote to memory of 4152	2496	Eleplc32.exe	91
PID 4152 wrote to memory of 4640	4152	Eodlho32.exe	92
PID 4152 wrote to memory of 4640	4152	Eodlho32.exe	92
PID 4152 wrote to memory of 4640	4152	Eodlho32.exe	92
PID 4640 wrote to memory of 4980	4640	Efneehef.exe	94
PID 4640 wrote to memory of 4980	4640	Efneehef.exe	94
PID 4640 wrote to memory of 4980	4640	Efneehef.exe	94
PID 4980 wrote to memory of 4928	4980	Eofinnkf.exe	95
PID 4980 wrote to memory of 4928	4980	Eofinnkf.exe	95
PID 4980 wrote to memory of 4928	4980	Eofinnkf.exe	95
PID 4928 wrote to memory of 4092	4928	Efpajh32.exe	96
PID 4928 wrote to memory of 4092	4928	Efpajh32.exe	96
PID 4928 wrote to memory of 4092	4928	Efpajh32.exe	96
PID 4092 wrote to memory of 1992	4092	Eqfeha32.exe	97
PID 4092 wrote to memory of 1992	4092	Eqfeha32.exe	97
PID 4092 wrote to memory of 1992	4092	Eqfeha32.exe	97
PID 1992 wrote to memory of 4632	1992	Ffbnph32.exe	98
PID 1992 wrote to memory of 4632	1992	Ffbnph32.exe	98
PID 1992 wrote to memory of 4632	1992	Ffbnph32.exe	98
PID 4632 wrote to memory of 4544	4632	Fmmfmbhn.exe	99
PID 4632 wrote to memory of 4544	4632	Fmmfmbhn.exe	99
PID 4632 wrote to memory of 4544	4632	Fmmfmbhn.exe	99
PID 4544 wrote to memory of 2148	4544	Fbioei32.exe	100
PID 4544 wrote to memory of 2148	4544	Fbioei32.exe	100
PID 4544 wrote to memory of 2148	4544	Fbioei32.exe	100
PID 2148 wrote to memory of 532	2148	Ficgacna.exe	101
PID 2148 wrote to memory of 532	2148	Ficgacna.exe	101
PID 2148 wrote to memory of 532	2148	Ficgacna.exe	101
PID 532 wrote to memory of 936	532	Fomonm32.exe	103
PID 532 wrote to memory of 936	532	Fomonm32.exe	103
PID 532 wrote to memory of 936	532	Fomonm32.exe	103
PID 936 wrote to memory of 2460	936	Fjcclf32.exe	104
PID 936 wrote to memory of 2460	936	Fjcclf32.exe	104
PID 936 wrote to memory of 2460	936	Fjcclf32.exe	104
PID 2460 wrote to memory of 3632	2460	Fqmlhpla.exe	105
PID 2460 wrote to memory of 3632	2460	Fqmlhpla.exe	105
PID 2460 wrote to memory of 3632	2460	Fqmlhpla.exe	105
PID 3632 wrote to memory of 2332	3632	Fckhdk32.exe	106
PID 3632 wrote to memory of 2332	3632	Fckhdk32.exe	106
PID 3632 wrote to memory of 2332	3632	Fckhdk32.exe	106
PID 2332 wrote to memory of 4984	2332	Fihqmb32.exe	107

C:\Users\Admin\AppData\Local\Temp\4c63ac9944b39620e65536427972aa33_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4c63ac9944b39620e65536427972aa33_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Windows\SysWOW64\Ejbkehcg.exe
  C:\Windows\system32\Ejbkehcg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\SysWOW64\Epmcab32.exe
    C:\Windows\system32\Epmcab32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\SysWOW64\Ebnoikqb.exe
      C:\Windows\system32\Ebnoikqb.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3172
    - - C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
      - C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        23⤵
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3724
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        25⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        26⤵
        Executes dropped EXE
        
        PID:1252
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:716
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        29⤵
        Executes dropped EXE
        
        PID:1836
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3760
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2212
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3548
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        43⤵
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2432
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        45⤵
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        48⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        54⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        55⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1744
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        59⤵
        Executes dropped EXE
        
        PID:3300
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1036
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        61⤵
        Executes dropped EXE
        
        PID:3684
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        63⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3316
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        65⤵
        Executes dropped EXE
        
        PID:4824
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3360
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2856
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3820
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        70⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        71⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        72⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:228
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4844
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        77⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        78⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        79⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        80⤵
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        81⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        82⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:632
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        85⤵
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        86⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        91⤵
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5364
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        95⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        96⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        97⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        99⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5744
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        101⤵
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        102⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        103⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        105⤵
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        106⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        107⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        109⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        110⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        111⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        112⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5496
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        115⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5788
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        119⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        122⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        123⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5872
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5992
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3092
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        134⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        135⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        136⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        137⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        138⤵
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        140⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6280
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6320
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        144⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        145⤵
        Drops file in System32 directory
        
        PID:6444
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        146⤵
        Modifies registry class
        
        PID:6496
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6540
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6588
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        149⤵
        Modifies registry class
        
        PID:6628
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6672
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6712
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        152⤵
        Modifies registry class
        
        PID:6756
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        153⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        154⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6840
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6888
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6932
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6972
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7016
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7064
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        160⤵
        Drops file in System32 directory
        
        PID:7108
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        161⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        162⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6244
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        164⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6380
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        166⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 400
        167⤵
        Program crash
        
        PID:6624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6456 -ip 6456
1⤵
PID:6568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
143KB

MD5
dfa8bc998c65c0099f5d6e16c3f7258f

SHA1
e66e279f4ea58b077dba49bb3f2f55beae88df2f

SHA256
8d335b40e4acddc9b449682e9035aba7a5b927fbd33a1c21b3148e76e69b58f6

SHA512
70cc796732431af8fd2d1f446eae692cdc9148a2c3038cd8419025b96bdd0cad4a491468a384610221b6ce093c78d00fe8d8bbf12e4990e5fdf68f24f0f0b421

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
143KB

MD5
ead88d4be7dbcb1a5cdc4fc97bd23c6d

SHA1
00b2cf18aea8867c63f60a596b2867425ddafab7

SHA256
79fd3d3f94a0d9e9fda7cfa11ebd19ba5647e0463a265aeec193c5b215c5335e

SHA512
fe8ff00542b0769cddeedaed23ec2fe9c68685f42673eb38c683e40e9d134b11c44861bafa998e2ba4317291f3b7560228e971e88340d38a8b2acce88c982a48

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
143KB

MD5
64d3b1f636236008ac5ca865e7373d06

SHA1
eefd607fd317caca54f358b3b6b9a90a7de8e24f

SHA256
ed426c087d8bcfa9d12e076ba482ecb4b54a945a77c46b4f6d402a7e15fe3d26

SHA512
6bc65ae5aa16e885e0b5b8db7dc6944a685b3a2c1d3601fc83a689a0c81fa08b01123b492a1bbc772ab04831e52f8be08161dbbcdba887ab2808ce8d4fc0ab19

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
143KB

MD5
47258f9f04d23bf25d226eadd6837eb5

SHA1
a7f1d7dc69bf7fd01a55615ad793bca7785b855e

SHA256
ac4082bedc122a254f509bb829d15fa1af559646489076eccf2b5a782582dfce

SHA512
e6d1377f1afd94fc146d99b65506becd46d411e86f1e182c15d9da45ac2dec60eed9a48ef3cd1bf205cda588336b7e6b0bf1eee65aa0ff279754a20d34428003

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
143KB

MD5
098d41050b0441a16b1ad3835d12299c

SHA1
53e0061b18384bde7572d4a71126b08dcf0a6788

SHA256
eccc33a04866e694bf87416d7b43fbdca7f71e1aec08505ec2b296db5a759d85

SHA512
15b3e14c3ac0c0ddfc25543f82ad8b7d66ad9e0308ebba3aa18d7b6dcf5fd17f80a7977d1d10b2d237a7645514b0c91d1cda876760d0e89ced65244fd76948fe

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
143KB

MD5
c396e9e68fa2f946267b4adc93d1e67d

SHA1
cd2891ef25c45d4707a485be726f2ce9c899018b

SHA256
c2bd16109db78025d70b470ed066fae8b7ea109c132d465aced8babc8a4fd6fe

SHA512
50d08972250763dbe4b0241b37b8a8c4bfa8a28d8af041b9cbd19a4c71c86a4020eba2c92e61ccbd3d4f5a1b60d55ec70676bd005d7673764ce789d1e0d57025

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
143KB

MD5
3e853cfe643cb89592eefd45015ae287

SHA1
1bee6032b9987479c67cefdeb5aa341aaee382d1

SHA256
42a0aae22221cec771ab598c88c3ef9397f298916f769356435ef29fd93c534b

SHA512
9595c052bc662c10e714ec0538ef45d8454b32458d6f8f584dac4571b395537bcd1c13f379339f4d6a1376d9768b93c403fcbf4846e302155103a2b3d26b2887

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
143KB

MD5
e1e7f9cbf0d3f3b057e9b67df08ae43e

SHA1
496239162e9f540b741ba3abf44d8ed9982da601

SHA256
05d709e82030f14bb020f1a85b76f4e4eeb905f7644333aa6141d11f3dcb74bd

SHA512
f5133b93d2395a7352153d08cc3877eb7a56fe258555d2fa25a78019b3cf021a2ca8d3d85fef35515834db2d2fb60514b8ca626fca4f4d9267bee78c76f06384

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
143KB

MD5
4cb77410f7df837b0a23d10f20522b57

SHA1
d66f01b6d09f44174600245aef0e74a7d0dee992

SHA256
880d5669edd025cf429e219aa4d7fe356eb64449761d931721a9d5b6b6230e26

SHA512
dc17e06de39794c6985a57597b3373267e54dc243fb2c0978736a4cdbc332ec35eede268b99a991eb014f6ef42db781e01f2d6c9cc097bbc4d0867b8071c0a62

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
143KB

MD5
1b839a936255e678fbaff4ee71cb4c31

SHA1
eb01304ec6d8c7abef9be39aff94f630d5b2b4d1

SHA256
dd9ba5bdabd77ec39cccde94b0482bb57f57af4ffc7e76f0e79abe1d5a13405b

SHA512
f47ffee8cbd0515b79285752b6b1e0762f2d89a5180abd6ddcac9195e2262812e7b424fbebd6c0be3630e125f09b02df72aa2ee50c4ff4d22fdabfa7b7bc0ea9

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
143KB

MD5
bea925eadf77ce4945042e0f4b2e6328

SHA1
f15dda97e97d662dd67d6d6777bf82ba95801271

SHA256
5cb14e45106f83d7833e792633b6196ccd177921dd51f92d8101bdc59d467358

SHA512
5c1dec45fedfc4e51957c70813cd8385b9b0eeb1619deeb2d731255f3c614ef3cac65a5a4343390a18b5c40ac8cfef0546cd1e2fb782b13727519e5876b341fa

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
143KB

MD5
92ccba1d31f78c0e48273393d5784ff6

SHA1
818ea7766ca800a5bc8012476d655424bf90aa55

SHA256
5d91894b9fe59a878e93f714a5c32e746cd38206f0e3082dbec795e2a39faa3b

SHA512
c1c848ffbd6141fc85256b9055f7eb732cf36f658fa709611b404e365da83c5a4a689b79af38c013da04c5b054ae97badd1fe874c32050fc4b8fc77909d10c08

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
143KB

MD5
f4adb59e13f7b01d3512061a79e702e3

SHA1
c4bd8380cfff0c91b23b4f440455064dbf6e0083

SHA256
d65724262e510b8a929660e0d15f8e07770ee5615b1c1f5953393184c199a195

SHA512
7e2f6b8b7fca3ebb03b96d207e799a816a7d2b38f9ecf8b60876b2bbf54d0b33b2aa9313597dfeebb2ce5220611d87e27a9dc024bd2e012091bd99eed3f69641

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
143KB

MD5
ce18dd3fd0d8357ecf1637b938eba413

SHA1
7553f0c571f6eed69a83f3d7d4f071af3db2cfab

SHA256
a28758872ed4cbd808f344cd5bbabd77c7d7661d1939e1f66ecc30ef4331bc9a

SHA512
24fd76e01e875d1197d0df69f9af479ed2218b444bd5d979369649615090bd385b5919b8cbdf369f127a985efe32d61ae10749f0465620517583a770e2898ddb

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
143KB

MD5
1d3ff04b66bc9580e827756d5ab7b250

SHA1
d9527020813bcde16018c4419350085b24adcc6d

SHA256
81e8d7142ad409e36b011fdf8c0e685dc86b2149b382d4ffe74eea4b4d96739f

SHA512
449323c65431836b7c1efc08c9ef2f10aee3b39dc634f4993125733d4fe0163582106e89c196a7b67fab90cc4a36b6e4326f49595958a04ea8f7b8e0d891ef9d

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
143KB

MD5
b3b805c995f3ab62b47bbfd1ea530f4b

SHA1
4bcf2b069683fbf74c15a06ae19dac02e199c822

SHA256
7ca080281742ed772ed271e23f824378a6b1c80667bfdebab494ea3647bb62e4

SHA512
5fd5c4788fb827617c738b4d924055db45cd41f3383b4d7906c12bbb68d7bcb7e5167ee0d38502424755a32f0f169caf319fda33f50a7d778335228b414d485f

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
143KB

MD5
a41617b095fc1024aac2f476f2b9cdf4

SHA1
c22a12bf74c38a24683f2c6c5fc8626bf8e479d4

SHA256
8b9f82b53453af07f60778482a8d7846effff902d26ebac0ddbf352285ebf368

SHA512
8fb5ec157fc14d857707f6518f0de07e940672c6540eac76edcfcc2ffb2858c1e825af297419693d91b01029cc4c6126e96d30c7c858f6313c5e01fdf4324308

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
143KB

MD5
05d4a982eda8537fbb2aaea77853e16a

SHA1
9bb4efd313e7a2f3d62901186ec519a813623abf

SHA256
2205a84a9ee6a1250c0a02341f8dad585b106648b1eda6391b3a9104768b669c

SHA512
31c09026ea04be40caf7555b555476371b1ca0e48aadd75abcf067814633e8f9d315a9ae855d4c72f3961683cb0acc10f0a2bb9239d3274eb6eeffcf925f5e44

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
143KB

MD5
f8c81b3921b9a553d206a74341ad0c35

SHA1
51b295629ee77ca8dc585379a6029f591646b388

SHA256
5d4c39eb37e42c1f85a877893f752f3fcde3e7c0a1c330f3900666e1c00134f9

SHA512
ddc9a4d30b657cdab104a2f8f3949cb11975e3fc075ba849e4f89e727dcc502fba98d9d1b29842ce5b3cee1623d1fe90696fbd4230d8c0bfe980257f97f54ab7

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
143KB

MD5
8000ca01ab8245237a6963bc357bedd2

SHA1
2428bb24405a8d1cb6278ea72e6d6eeb402c07aa

SHA256
2ceed806faab34afd6d1144a53778ae3337e814d84352d6dc022d620027a9472

SHA512
5d0302f1ef426584eede32a088ad99aa4c39c56d7329878b2c302308df69cf279e625d66dd4437de703f22b180dcff2ebb56cbdd723b263594747703390a175e

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
143KB

MD5
e5d4c223a264cfea221bb1104ec9a922

SHA1
818f3f9a6c7328547fcf48bf6d2cb8c3785d435f

SHA256
be16628bd2a9cbd2b4ff4de301a5c7acf5c49fa2c6ca37c0c68fedc7c9a6e3be

SHA512
bf75670ff9c904dae0b61d6f1c9b1e7fbde0a3d43dfbb85d0e87eeff1e75f444663aa9c02452f3d26e2a5ccf40ae127fd7410f062ef1031072423d9e590007e2

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
143KB

MD5
dcc331527845a3363fd227f0c4786a26

SHA1
96b66619e69a5fe987a6cc5e50a2cac6d4ee559e

SHA256
afb1a1ef11e62f7b18f4833395bdec5002073080bbcad7a856881002caade884

SHA512
c0ab8bd88b768169436012d3bdf42ad58ae074d9dc568ddbdd79580466c83611e711b410f5e01d284b3a21959ab06847d549e488121bb21fe98391c30ad1c81e

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
143KB

MD5
32d7cd2b5cc90809a4beb0e42f5739c5

SHA1
7cb9865abb01063d82d47bd2c93594270aeada1a

SHA256
e8e8169f59eda03db107c381684a7da29522b6e756cce48cb8faed1dd1bddfdb

SHA512
7493e65b0c17399acced2a59dcd77de647f0afe27c83af9ed2db28c107c25a5210b13b473d6de13fc5366b3b53e799b117ae0637b62d7d8e71f87b1184ecea6c

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
143KB

MD5
84b3a5b8d823ab89f02ce015f2aaf79e

SHA1
30a879261da8e173007d324b157d7a287aff0aec

SHA256
fccf64ef8a0c32f4081ab876a529d2737765318098c37351fb67432a34dd17d1

SHA512
4269a231d24f13dd73ad4c4e9c22903a0db99d5ab43990683c2ce6e8c3c88b28fc261a07b543b3567766756d30547fde6494ae5dd7cfab7e434ab4ef4b0ad279

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
143KB

MD5
a77ae0421db71e72fbd8abc9d95b7d8b

SHA1
7452ce13c4239020c08cd8781b56f74265af97de

SHA256
cbfbe6afc431e86934137c3d0ec6c01621e9defa253da9384b973ba058033b40

SHA512
41a86f64e00231e8c35049ce5332ac8f5f0f6345ea35d7bb8ca238e860b7574efb44f77a1dd9b1655065329b3ae0d9c67c93ab5180e70154d57efa4cd4d35c88

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
143KB

MD5
290b83c25a98d1ca046c0fd01449a3bc

SHA1
ed5f2cf315354eec0bc22afda547fdfc32cb3765

SHA256
513aad64a7f5499ae76b8c82acf7d0a0336dbfc792dea632a7f5b4e70c90992e

SHA512
0c4e36cb3f6a0c2269105123c29c1618e521e1bfcead1cf8d5b5affba326fe822a8c50e6cf82c9f05a38fad0375b1509b2f2e222019800e60aceddf2c0fea3a7

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
143KB

MD5
7bda6a65a1d557550ea9a1f18eec6b6d

SHA1
a2fa5a71761853c83b1ddc042668dcddf73cfe91

SHA256
5783e51c47aee441ebb2914a052842021471412f31bf5d987c60fbed9ab17286

SHA512
50f49f0a6c7230c7a6ee8b1b813f2b55ad1ebafea1cba18535c78f58e5a313f202358f900dbdd8f065b6a314dacf646f263b05fd1c00e6778a32edc1cabbede7

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
143KB

MD5
c10db233dfffb5f2c22839964026fd6e

SHA1
b8a813b8cb1a26d16ad5843dd47a4f3d37af56c8

SHA256
4f42fe248aa3a8c451998543876d1b218281502c22060fdd7a2a58db6db452ef

SHA512
3ce887d9d9909d95b39f1335c94576ba25a3c5d7ca8cab45b390f8e782f673088bb7c6c61ca40c917cbd6261707d71fab5f1a290566d3332e8229b19d3037fb5

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
143KB

MD5
4dbaf77f7adcc3b32025c3186951c717

SHA1
6ffc05d02e249a29a4a038de1c150ad1b68718ed

SHA256
75386889086d11d559c3c376d0561c9abd6da2a427ce3935d1d2cd722f767290

SHA512
c7b0f1c6b49d38e5d1670109183b42dc69b7a0375da724169c7e0da75ff28ac17c222cf82ab342b6b10e102aca65d876ce1e6052d42009c64bc067f544a65100

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
143KB

MD5
f577acde9d9dd81b555323a80765303e

SHA1
fe6e99a259501d433d6f934af6e037cc085c1ebf

SHA256
8a8a7db5f8c58503fba6c0262e24c860af410dcf26efd12a81f703c63226e681

SHA512
4a1a5f20769665c3fb275e7f05df256de37d8d794fb8e42bd40dcbcf0820cf66940731cd10bb6fbe9213818ae8f732d260600a749ca96c75c4495b405c657a7e

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
143KB

MD5
535d480e246e7b6c116ca58160009a95

SHA1
01f5408261d38ea688d688fb9ce65a073dd38497

SHA256
3567ade822110cfe79f01d406b567b2ca888c46052ca7a3654ac2586d19e8181

SHA512
f095b5df35632e685306b55b69036f16f1757aaad007803bf1c19b0b2f3f0905f06b1db9db6d99c1c100d02a9a6990edac04aa08e814a5033d8f342abd3fba4c

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
143KB

MD5
c19aa0a1023c9bd4fa34d8258ec76cac

SHA1
6d4502334a26060d2d7c4927e00f3b613acf5086

SHA256
3a5e02e30f4e8af5e857f0bde08b511ea1ce8536482e3b5aa8af4f7df900fdc3

SHA512
7610c3a3b3008505d529f848f3eb49908b3839dbfe87d96eb07625415dccc08e228189ee3ba0989c2368f5fc6aeafcb4883b2a6045d0a348624f037a848d7e24

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
128KB

MD5
50de371331d196bc32622d2c8b519192

SHA1
51df91ea0fddb095fe57a53bcf9b2af436a68b67

SHA256
4e142c327899342547e4e9fd4113a55e2edd747c642ebf2a56fec42dab4359ee

SHA512
26f7617006d858301b2468e9d762592599a837ddacf795dae2b3e0e29af019331bb43357474a29c9765b8d78c4474dd796015f4a62843236d5769eb7748604bb

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
143KB

MD5
13b829d8c42c82f8a056f39b767e84f8

SHA1
e54dc5a7477efa62dd8a77d156c90067c314aa0d

SHA256
f1c63e61ea72bd34e618a090ca2a639bc2699a2344b0c1fdbffdc18327499265

SHA512
fae350ef7a82be1890681d3236570243e78c986856cc1070d8a6d5ef0390ab506765c0163487d78f5fd268f1703f7dc88c9bba9d51f25702aa826513c431fe7f

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
64KB

MD5
ee0300464d3c2abb19a900428dbda5e2

SHA1
47948ac82f366fb9f91919869e049099d6e0f897

SHA256
2682c858752512e8ff7be05c0e6106083981dc8c44e2dc69b46456e87adbd9fb

SHA512
f9065c1bf21ad540f7cded9e6a7176fc0c0ecda362fae5837094d20ffd8bc7961750d862cb02a519de4978fe3f62b8f96ef45dde58d14e24b66eb03964e11b10

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
143KB

MD5
6742d1f33884ca3991fb13c3f97b2037

SHA1
8380be220b3da10b8debb394913996991308ba10

SHA256
f009fde14fa1d33dfc6c58806e9d630c360a7cc4a6faa83e59c37517f548836f

SHA512
0c6d254a5a914abd8cd44cf24444f3cf1733bbf47671017281aace4418c28a51fe861d5c2fb7fcbdc543b1f49b2f7dbd138d004180f2c07415809b79ff3228dd

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
143KB

MD5
1a281f02043e52208a14752933638ae3

SHA1
a5c2c9ec51e9b0497ee02f41ca615c4a2a2df3fd

SHA256
90c813fbacb9e211eb0e965177c572df8a04ea3137c65bbfc5f3ec7d49e72330

SHA512
013f64d52811c5a5be4b44e3ef5912ec8dcf390aff81efd0ba51c48bcb60b858492673512611838df285662fa5bfa41c1db846a3b6119bb87f25957066424dd0

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
143KB

MD5
bbac287dca2237b168926821396d6c34

SHA1
5964bd1d5e7817282d8f4af16a77ab5169ffcdf1

SHA256
8b662a82c0fce44422fc8887d0f0176a4a6214aa1c075e89529cd9717320dffd

SHA512
42604dc77ac1e8b89f9c6368672c41bd16423de96bb0955a650c4bac2a6a63cb8c99392b31835609dede219bf6f29d0d0e366e8452648378f9acf0475f642ccc

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
143KB

MD5
86a36f6b45a2f116e6795974ed9d29fe

SHA1
0c3956f4d30a7021b145d26c17374ddd278bdd12

SHA256
24a3e015e6411f7cf2408c9f9b47ca468df4cc1e2e36bfb3df04176c2e4df29c

SHA512
2ca66568e803520c6573e86bb876e0d2289735b524543211df20ff840bfd8dd6c27fbba568eca27de7027596c88dd5746487a4e33937a971d95fe8fb50ac4436

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
143KB

MD5
01a3ff86e59331ea0f9764452bb1e9b8

SHA1
cea6e8aef97298f0ca643df75942ee07ec54d74a

SHA256
68f5fe9e006665e801ffec393503368b65fb4237536115cc498796d7a9205d60

SHA512
51a1a5e4564ae6f1a10dfd98cf729e0cdd27ec23047f8400d5e052757d8dfdd67c45822ae08bb2b717e9aad32c30096008e1d7d919c4f8ea3284becbbf15574f

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
143KB

MD5
d4d4ef8a84cfcf82d669cd6588872a0e

SHA1
f5f534018ade928f6b0ed76ce72a2fd998ba07b5

SHA256
55cf00ea177026bbade3809ff489774f1f8f22a35526b4f1192ff2e1638f30f7

SHA512
9b001fc1ff13de3269b7ae2abfbf38e87828b8c5f54a564e47e23b33f8a3bfbdfbd545dcf56b36a9a72fade3e1e61305fa7fe03d06aab38817853c11b4a0d7ec

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
143KB

MD5
acfb96d93c820b302a46f339b6fe826c

SHA1
b1695b06246ba4efb407cc8eaaae318259de8353

SHA256
2031e84e0d9982bceecebff1185ed33a87d31845d1717472c272625202fc08d7

SHA512
d4fe14bbf408a05193e0d9bda02682f481c8502b510e47d0d01d13f5d023b31539a78848d2db7682b0939784d3ddee2d79b27d1bb6619a1c6f650c63e57ce133

Download Submit
memory/60-584-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/60-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/220-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/228-496-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/532-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/548-302-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/632-565-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/636-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/716-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/936-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/968-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1020-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1036-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1040-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1252-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1260-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1436-530-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1620-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1688-536-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1744-405-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1776-490-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1812-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1836-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1992-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2148-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2180-514-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2212-290-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2304-284-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2312-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2332-172-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2340-585-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2372-344-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2432-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2460-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2496-591-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2496-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2532-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2856-466-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2932-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3116-478-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3172-576-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3172-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3300-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3316-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3360-465-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3484-454-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3548-308-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3604-542-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3632-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3684-429-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3720-548-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3724-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3760-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3820-477-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-577-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4084-557-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4084-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4092-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4152-601-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4152-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4160-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4296-386-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4392-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4392-550-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4444-36-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4460-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4472-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4480-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4488-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4544-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4580-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4580-564-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4640-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4692-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4704-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4812-512-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4816-520-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-448-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-484-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4840-578-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4844-506-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4852-558-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4872-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-87-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4980-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4984-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5016-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5064-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-556-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5084-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5128-592-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5172-603-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads